WAS v8.5 > Secure applications > Authorizing access to resources > Authorization technology

Authorization providers

WebSphere Application Server supports authorization based on the Java Authorization Contract for Containers (JACC) specification in addition to the default authorization.

JACC is a specification introduced in Java EE1.4. It enables third-party security providers to manage authorization in the application server.

In WAS version 7.0, Java Authorization Contract for Containers (JACC) specification 1.4 was applied. In JACC specification 1.4, we support Java EE5 that includes Servlet 2.5 and EJB 3. The biggest functional change with the introduction of JACC specification 1.4 is the inclusion of annotations for propagating security policy information.

When security is enabled in WAS, the default authorization is used unless a JACC provider is specified. The default authorization does not require special setup, and the default authorization engine makes all of the authorization decisions. However, if a JACC provider is configured and set up for WAS to use, all of the enterprise beans and web authorization decisions are delegated to the JACC provider.

WAS supports security for Java EE applications and also for its administrative components. Java EE applications, such as Web and EJB components are protected and authorized per the Java EE specification. The administrative components are internal to WAS and are protected by the role-based authorizer. The administrative components include the dmgr console, MBeans, and other components such as naming and security. For more information on administrative security, see Role-based authorization.

When a JACC provider is used for authorization in WAS, all of the Java EE application-based authorization decisions are delegated to the provider per the JACC specification. However, all administrative security authorization decisions are made by the WAS default authorization engine. The JACC provider is not called to make the authorization decisions for administrative security.

When a protected Java EE resource is accessed, the authorization decision to give access to the principal is the same whether using the default authorization engine or a JACC provider. Both of the authorization models satisfy the J2EE specification, and function the same. Choose a JACC provider only when we want to work with an external security provider such as Tivoli Access Manager. In this instance, the security provider must support the JACC specification and be set up to work with WAS. Setting up and configuring a JACC provider requires additional configuration steps, depending on the provider. Unless we have an external security provider that we can use with WAS, use the default authorization.


Subtopics


Related concepts:

Authorization technology


Related


Enable an external JACC provider
Authorizing access to Java EE resources using Tivoli Access Manager
Propagating security policy of installed applications to a JACC provider using wsadmin.sh


Reference:

Interfaces that support JACC
Security authorization provider troubleshooting tips


+

Search Tips   |   Advanced Search